rule malware_macos_bella
{
    meta:
        description = "Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS."
        reference = "https://github.com/Trietptm-on-Security/Bella"
        author = "@mimeframe"
    strings:
        // Bella.py
        $a1 = "Verified! [2FV Enabled] Account ->" wide ascii
        $a2 = "There is no root shell to perform this command. See [rooter] manual entry." wide ascii
        $a3 = "Attempt to escalate Bella to root through a variety of attack vectors." wide ascii
        $a4 = "BELLA IS NOW RUNNING. CONNECT TO BELLA FROM THE CONTROL CENTER." wide ascii
        // Control Center.py
        $b1 = "user_pass_phish" fullword wide ascii
        $b2 = "bella_info" fullword wide ascii
        $b3 = "get_root" fullword wide ascii
        // Builder
        $c1 = "Please specify a bella server." wide ascii
        $c2 = "What port should Bella connect on [Default is 4545]:" wide ascii
    condition:
        any of ($a*) or all of ($b*) or all of ($c*)
}
